1. Field of the Invention
The present invention relates to a wireless network, and more particularly, to an intrusion detection sensor with a function for detecting a variety of intrusions, second-layer denial of service attacks, and rogue access point attacks that can occur in a public network wireless LAN or an enterprise wireless LAN network, and an intrusion detection method therefor.
2. Description of the Related Art
The wired Internet allows easy access to a destination computer anywhere in the world through a common technology, the TCP/IP protocol suite, and makes data communication easier. Also, a variety of applications, such as file exchange, web services, and online games, are enabled on the Internet. These advantages of the Internet are maximized by the commercialization of wireless networks.
Currently, most products used for wireless networks comply with the IEEE 802.11b standard formulated by the Institute of Electrical and Electronics Engineers (IEEE). Wireless LAN products complying with the IEEE 802.11b standard use a frequency band of 2.4 GHz and employ a direct sequence spread spectrum (DSSS) method in the physical layer (PHY). As the protocol in the data link layer, IEEE 802.11 is complied with, and as the authentication and security standard, IEEE 802.11 is also complied with. Recently introduced products complying with the IEEE 802.11a standard and the IEEE 802.11g standard employ the same data link layer protocol as IEEE 802.11, though their physical layers are different. In the IEEE 802.11a standard, a frequency band of 5.2 GHz or 5.8 GHz is used, and an orthogonal frequency division multiplexing (OFDM) method is employed in the physical layer. IEEE 802.11g employs the OFDM method in the 2.4 GHz frequency band.
A wireless LAN is broken down roughly into two components: one is an access point (AP) and the other is a wireless network interface card (WNIC). The access point is an apparatus connected to a wired network that relays the traffic of wireless users. The WNIC is an apparatus providing the network interface from a wireless terminal to an access point.
However, there are people who try to profit by misusing this development of wired and wireless networks and by maliciously exploiting or destroying others' information. These people achieve their goals by using the weak points of the TCP/IP protocol or of upper-layer protocols. Examples of this are the variety of viruses, Trojan horse attacks, and distributed denial of service attacks. Accordingly, in order to protect a subnetwork or a host computer from these attacks, security systems such as a firewall, an intrusion detection system, and an intrusion protection system have been introduced. Using these systems, the network administrators of each company watch the network flows into and out of the network and prepare against a variety of attacks.
However, the network security problem is much more serious in a wireless network than in a wired network. The reason is that the conventional enterprise network or the Internet is formed entirely of wired connections, so that in order to access the network, an intrusion position must be secured physically. In the case of a wireless network, by contrast, sniffing and an intrusion attack can be performed from any place within the distance that radio waves can reach. Also, in a wireless LAN there are packets for which encryption and authentication are impossible, and these packets can be forged without limit. These packets include 802.11 management frames, and extensible authentication protocol (EAP) over LAN (EAPOL) packets exchanged before authentication is performed. An attack by an authenticated user is also possible. Accordingly, it is not easy to apply to a wireless network a security policy that is applied to the conventional Internet connection network.
In order to guarantee the security of a wireless network, there are IEEE 802.1x, an access control standard based on user authentication; Wi-Fi protected access (WPA), which guarantees secrecy and integrity on a wireless connection; and IEEE 802.11i. Nevertheless, new types of attacks that an intrusion detection system used in conventional wired networks cannot easily detect have been emerging. Some examples of these attacks are as follows.
FIG. 1 illustrates a second-layer denial of service attack occurring in a conventional wireless network.
In FIG. 1, an authorized terminal 120 is normally connected to a wireless LAN access point 110. At this time, an attacker 130 analyzes packets on the wireless network and finds the media access control (MAC) addresses of the authorized terminal 120 and the access point 110 currently connected. Then, by forging a disassociation message, which is the message among the 802.11 management frames that tears down a connection, the attacker 130 transmits the message to the authorized terminal 120 as if it had been transmitted by the access point 110 to the authorized terminal 120. The authorized terminal 120 is then disconnected, and if the disassociation message is received continuously, the terminal 120 cannot re-establish a connection to the access point 110.
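The following is an added detection example, not part of the patent text: a sensor-side rule that flags the flood of disassociation (or deauthentication) frames described for FIG. 1 by counting such frames per (source, destination) pair in a sliding time window. The frame records, MAC addresses and threshold are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample of 802.11 management-frame records as a wireless sensor
# might log them: (timestamp_s, frame_subtype, source_mac, destination_mac).
# The addresses are hypothetical; the sequence models the FIG. 1 scenario.
AP_MAC = "00:11:22:33:44:55"    # authorized access point (hypothetical)
STA_MAC = "66:77:88:99:aa:bb"   # authorized terminal (hypothetical)

SAMPLE_FRAMES = [
    (0.0, "association_response", AP_MAC, STA_MAC),
    (5.0, "data", STA_MAC, AP_MAC),
] + [
    # ten disassociation frames claiming to come from the AP within 2 seconds
    (10.0 + i * 0.2, "disassociation", AP_MAC, STA_MAC) for i in range(10)
]

# Both subtypes tear down a connection and are unauthenticated in plain 802.11.
TEARDOWN_SUBTYPES = {"disassociation", "deauthentication"}


def detect_disassociation_flood(frames, window_s=10.0, threshold=3):
    """Return a list of ((src, dst), first_alert_ts) for every source/destination
    pair that sends more than `threshold` teardown frames within `window_s`.

    One disassociation per session is normal; a burst aimed at one terminal
    is the signature of the forged-frame denial of service."""
    recent = defaultdict(deque)  # (src, dst) -> timestamps inside the window
    alerted = set()
    alerts = []
    for ts, subtype, src, dst in sorted(frames):
        if subtype not in TEARDOWN_SUBTYPES:
            continue
        key = (src, dst)
        window = recent[key]
        window.append(ts)
        # Drop timestamps that have fallen out of the sliding window.
        while window and ts - window[0] > window_s:
            window.popleft()
        if len(window) > threshold and key not in alerted:
            alerted.add(key)
            alerts.append((key, ts))
    return alerts


if __name__ == "__main__":
    for (src, dst), ts in detect_disassociation_flood(SAMPLE_FRAMES):
        print(f"t={ts:.1f}s teardown flood from {src} towards {dst}")
```

A real sensor would also cross-check the claimed source against the list of authorized access points and the frame's signal characteristics, since a forged frame carries the AP's MAC but originates elsewhere.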
FIG. 2 illustrates an address resolution protocol (ARP) poisoning attack occurring in a conventional wireless network.
In FIG. 2, a first authorized terminal 220, a second authorized terminal 230, and an attacker 240 are all normally authenticated and connected to a wireless LAN access point 210. Although the first authorized terminal 220 has not sent an ARP request message, the attacker 240 transmits an ARP response message formed with the pair (the IP address of the second authorized terminal, the MAC address of the attacker). When the first authorized terminal 220 has TCP/IP data to transmit to the second authorized terminal 230, it refers to its address table; in this case, the first authorized terminal 220 mistakes the MAC address of the attacker 240 for the MAC address corresponding to the IP address of the second authorized terminal 230, and transmits the data to the attacker 240. When the wireless data is not encrypted, the attacker 240 can monitor the wireless data and ultimately obtain all data transmitted by the first authorized terminal 220 to the second authorized terminal 230. However, when the wireless data is encrypted by a dynamic key allocation method on a wireless LAN network to which the WPA or IEEE 802.11i standard is applied, the attacker 240 cannot obtain the data. Accordingly, through the ARP poisoning attack performed as described above with reference to FIG. 2, data to be transmitted to another terminal can be monitored and modified in the middle.
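The following is an added detection example, not part of the patent text, for the FIG. 2 scenario: a wireless sensor keeps a table of IP-to-MAC bindings learned from ARP traffic and raises an alert on an ARP reply that answers no recent request (the unsolicited response of the attack) or that changes an already learned binding. The addresses and the packet sequence are constructed for illustration.

```python
from collections import namedtuple

# One ARP packet as a sensor would decode it from the wireless side.
ArpPacket = namedtuple("ArpPacket",
                       "ts op sender_ip sender_mac target_ip target_mac")

# Hypothetical addresses for the terminals and the attacker of FIG. 2.
T1_IP, T1_MAC = "10.0.0.20", "aa:aa:aa:aa:aa:01"   # first authorized terminal
T2_IP, T2_MAC = "10.0.0.30", "aa:aa:aa:aa:aa:02"   # second authorized terminal
ATTACKER_MAC = "de:ad:be:ef:00:01"

SAMPLE_ARP = [
    ArpPacket(1.0, "request", T1_IP, T1_MAC, T2_IP, "00:00:00:00:00:00"),
    ArpPacket(1.1, "reply", T2_IP, T2_MAC, T1_IP, T1_MAC),         # legitimate
    ArpPacket(7.0, "reply", T2_IP, ATTACKER_MAC, T1_IP, T1_MAC),   # poisoning
]


def detect_arp_poisoning(packets, request_timeout_s=2.0):
    """Return (alerts, bindings). Each alert is
    (kind, ts, claimed_ip, claimed_mac) with kind 'unsolicited_reply'
    (no matching request from the target within request_timeout_s) or
    'binding_change' (the IP was previously bound to another MAC)."""
    bindings = {}   # ip -> mac learned from replies
    pending = {}    # (requester_ip, asked_ip) -> timestamp of the request
    alerts = []
    for p in sorted(packets):
        if p.op == "request":
            pending[(p.sender_ip, p.target_ip)] = p.ts
            continue
        if p.op != "reply":
            continue
        # A reply is solicited only if its target recently asked for its sender.
        asked_at = pending.pop((p.target_ip, p.sender_ip), None)
        if asked_at is None or p.ts - asked_at > request_timeout_s:
            alerts.append(("unsolicited_reply", p.ts, p.sender_ip, p.sender_mac))
        known_mac = bindings.get(p.sender_ip)
        if known_mac is not None and known_mac != p.sender_mac:
            alerts.append(("binding_change", p.ts, p.sender_ip, p.sender_mac))
        bindings[p.sender_ip] = p.sender_mac   # record what the network now sees
    return alerts, bindings


if __name__ == "__main__":
    found, _ = detect_arp_poisoning(SAMPLE_ARP)
    for kind, ts, ip, mac in found:
        print(f"t={ts:.1f}s {kind}: {ip} claimed by {mac}")
```

A binding change alone can be legitimate (for example after a DHCP lease change), so the two signals are most useful together, and the sensor should compare the new MAC against the list of authenticated stations on the access point.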
The second-layer denial of service attack shown in FIG. 1 cannot be detected because a wired intrusion detection system generally analyzes frames of the third or higher layers. The ARP poisoning attack on the wireless LAN is a third-layer attack, but detection of the attack is likewise impossible because the wired intrusion detection system analyzes only frames on the wired side.
In addition to the attacks shown in FIGS. 1 and 2, there are a variety of attacks on a wireless LAN network that cannot be detected by the conventional wired intrusion detection system, such as a rogue access point attack, an attack based on 802.11i message integrity code (MIC) failure, and a denial of service attack using the characteristics of the 802.11f protocol.
Accordingly, a technology enabling detection of the variety of attacks occurring on a wireless network is much needed.